More Security Vendors Admit to SolarWinds Attacks

Several more cybersecurity vendors have revealed that they were attacked by the same threat actors that compromised SolarWinds, although there appears to have been minimal, if any, impact on customers.

Mimecast revealed a couple of weeks ago that a “sophisticated threat actor” obtained one of its certificates used to authenticate Mimecast products to Microsoft 365 (M365) Exchange Web Services, in a bid to compromise customers’ M365 tenants.

In an update yesterday, the email security vendor confirmed that this incident was related to the suspected Russian state espionage campaign centered around the compromise of SolarWinds Orion software.

However, most customers affected by this have already broken and then re-established connections with new keys, and Microsoft has disabled use of the old keys.

“Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the US and the UK. These credentials establish connections from Mimecast tenants to on-premises and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling and SMTP-authenticated delivery routes,” it continued.

“Although we are not aware that any of the encrypted credentials have been decrypted or misused, we are advising customers hosted in the US and UK to take precautionary steps to reset their credentials.”

Also yesterday, Fidelis Cybersecurity released a blog post explaining that it had installed an evaluation copy of the Trojanized SolarWinds Orion software on one of its machines last May. However, the machine was not running in its production environment, limiting the impact.

“Our current belief, subject to change given additional information, is that the test and evaluation machine where this software was installed was sufficiently isolated and powered up too infrequently for the attacker to take it to the next stage of the attack,” explained CISO Chris Kubic.

Another security vendor, Qualys, sent a statement to Infosecurity explaining that, in a similar way to Fidelis, it isolated the malware-laden Orion software in a test environment.

“As part of our standard research and engineering process our researchers downloaded and installed the impacted version of SolarWinds Orion software in a sandbox environment for evaluation,” it said.

“This sandbox environment is completely segregated from our production and customer data environments. Our security team conducted a detailed investigation and has confirmed there was no impact on our production environment.”

FireEye, CrowdStrike, Malwarebytes, Microsoft and Palo Alto Networks have all previously revealed how they were targeted by the attack group.

The revelations point to the sheer scale and audacity of the attackers, but also a reassuring willingness on the part of affected vendors to share any learnings with the wider cybersecurity community.